I’m good. I know very well there are uses cases for a self signed cert. LE is still far more practical for 99% of use cases, even internally.

But then you have to distribute CAs to all the devices that will reach this service, and not all devices allow that.

I’m with you, but that’s why I’m automating certificate expiry checking somewhere else (in my home assistant install to be exact).

https://grocy.info/

Has Home Assistant integration as well.

I think you can do push-to-talk/drop-in at least via tts using BroswerMods on home assistant, that would be one option.

Navidrome and Gonic are very active projects yes. Why would it not be a thing anymore? Works fantastic.

Yes my answer is for use with Let’s Encrypt.

Fair, I don’t know why I read OPs post as asking for let’s encrypt certs. Internal CA is indeed an option.

They do not. See my other reply about DNS verification.

OP is asking for cases where you don’t want to allow the service (or reverse proxy) to be accessible via the web.

You can use the DNS verification method. Either using nsupdate with bind or what ever protocol your DNS provider and favorite ACME (certbot, acme, lego, etc) utility supports. As long as your DNS server is publically reachable that will work, even if the subdomain itself doesn’t exist publically.

Look into Snapcast

Might I ask, why exactly do you feel the need to have a webapp for CAD rather than a hard client?

Have you never heard of OpenStreetMap?